Version 4.3.0 Release Notes

This release includes kernel and OS updates that bring numerous security, performance, and stability improvements.

This release allows you to block Windows script files, system files, and HTML Application files. Go to Configuration > Group Policy > Default Policy and click the Categories & Download Types tab to view file types and set actions.

The administrative web interface for this release supports TLS 1.2.

Support for YouTube for Schools has been removed as this service is no longer available.

Sandstorm Enhancements

You can now send files manually for testing by Sandstorm. In the Dashboard, click the Submit to Sandstorm tab, select a file or type the URL of a file, and click Submit. You can view the progress of the test in the Sandbox Activity Search page.

You can now select the data center to which you send files for analysis by Sandstorm. Go to Configuration > Global Policy > Sandstorm.

If you release a file before Sandstorm has finished analyzing it and the file is later determined to be malicious, an alert is sent to all alert recipients. Go to System > Alerts & Monitoring and click the System Alerts tab.

Sandstorm reports are now retrieved using TLS 1.2.

Note: Support for earlier versions of TLS will be deprecated by Sandstorm. To be able to retrieve Sandstorm reports, you must upgrade your appliance.

Resolved Issues

Work Order #  Description
NSWA-867      Fixed an issue in which the policy tester result wouldn’t match the actual policy
NSWA-906      Fixed an issue in which CSS files were incorrectly identified
NSWA-927      Fixed an issue in which MP3 streaming media would not play correctly
NSWA-930      Fixed an issue in which large local site lists could cause the UI to time out
NSWA-934      Fixed an issue where trusted CA certificates were not refreshed after removing a trusted CA certificate
NSWA-935      Fixed an issue in which the download scan icon displayed the incorrect status on the patience page
NSWA-936      Made several improvements to the behavior of quota in SMA/SWA environments
NSWA-942      Vulnerability Fix: OpenSSL DROWN as described in CVE-2016-0800 and related CVEs
NSWA-947      Fixed an issue where some reports didn’t include HTTPS traffic when HTTPS scanning was disabled
NSWA-951      Winbindd configuration improvements
NSWA-953      Fixed an issue where the patience page wouldn’t display correctly in Firefox
NSWA-958      Vulnerability Fix: Samba Badlock as described in CVE-2016-2118, CVE-2016-0128, CVE-2015-5370, and CVE-2016-2110 to CVE-2016-2115
NSWA-975      Increased the maximum number of additional policies allowed
NSWA-977      Vulnerability Fix: OpenSSL as described in CVE-2016-2105 to CVE-2016-2109
NSWA-980      Vulnerability Fix: Fixed an issue where it was possible to evade quota settings
NSWA-982      Fixed a port conflict that could cause FTP backup to fail
NSWA-984      Additional file types not requiring Sandstorm analysis are now allowed through the proxy
NSWA-987      Vulnerability Fix: Manual backup archive can be accessed unauthenticated by brute force. This issue was identified by Gregory Draperi.
NSWA-988      Vulnerability Fix: Password hashes for administrators could be exposed on the users page. This issue was identified by Gregory Draperi.
NSWA-989      Vulnerability Fix: FTP over HTTP page could be leveraged for malicious redirection. This issue was identified by Gregory Draperi.
NSWA-990      Fixed an issue in which speed test upload results were slower than expected
NSWA-1144     Vulnerability Fix: CVE-2016-5696 TCP
NSWA-1145     Fixed an issue in which the SMA’s connection to Liveconnect would fail
NSWA-1151     Vulnerability Fix: OpenSSL SWEET32 as described in CVE-2016-2183
NSWA-1208     Vulnerability Fix: CVE-2016-9554. Shell command injection vulnerabilities in the SWA UI. This issue was identified by Matt Bergin of KoreLogic.